Linux and UNIX Framework Clients

All clients here are built using a common framework. The only difference between them is the actual log parser subroutine. The
clients are written in Perl. A minimal Perl installation should work for each of them. No extra modules are
required.

Framework Development Kit

If you want to develop a new client for a different firewall, or submit a bug fix for one of the existing framework
clients, please download and use our Framework Development Kit. This contains a few simple scripts that we use to
assemble the above clients. Life will go a lot smoother if you use this, rather than working from a modified version
of one of the above scripts. Please.

Security

Even though the easiest way to run scripts like this is to run them as root, it is always dangerous to run anything
as root. Consider creating a user that has just enough privileges to run the script. This can be achieved by
creating a user and group called 'dshield'. The log files have to be owned by the group 'dshield' and readable by it,
but not by other users (chmod 640). Create the cron job as this user.
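The following script is an added example, not DShield's own code or part of its development kit: it creates the 'dshield' user and group described above, sets each firewall log to mode 640 with group 'dshield', and offers a 'check' subcommand that can be run later (without root) to catch logs whose permissions have drifted back open. The group name and the 640 mode come from the page; the useradd options (system account, no login shell), the function names and the 'install'/'check' subcommands are assumptions of this example.

```sh
#!/bin/sh
# Added example, not DShield's own code: set up the least-privilege 'dshield'
# account from the Security section and verify log-file permissions.
# The group name and mode 640 come from the page; the useradd options,
# function names and 'check'/'install' subcommands are our assumptions.

DSHIELD_GROUP="dshield"
DSHIELD_USER="dshield"
REQUIRED_MODE="640"

# Print "<octal mode> <group name>" for a file, e.g. "640 dshield" (GNU stat).
file_mode_group() {
    stat -c '%a %G' "$1"
}

# Return 0 when the log is mode 640 and owned by the expected group: readable
# by the client account through its group, not by every local user, and not
# writable by the client at all (it only needs to read the log).
log_perms_ok() {
    mode_group=$(file_mode_group "$1") || return 1
    mode=${mode_group% *}
    group=${mode_group#* }
    [ "$mode" = "$REQUIRED_MODE" ] && [ "$group" = "${2:-$DSHIELD_GROUP}" ]
}

# Create the account and fix up each log given on the command line.
# Needs root once; the client itself then runs without it.
install_account_and_perms() {
    getent group "$DSHIELD_GROUP" >/dev/null || groupadd "$DSHIELD_GROUP"
    id "$DSHIELD_USER" >/dev/null 2>&1 ||
        useradd -r -g "$DSHIELD_GROUP" -m -d "/home/$DSHIELD_USER" \
                -s /sbin/nologin "$DSHIELD_USER"   # no interactive login (assumption)
    for log in "$@"; do
        chgrp "$DSHIELD_GROUP" "$log"
        chmod "$REQUIRED_MODE" "$log"
        log_perms_ok "$log" || { echo "permissions still wrong: $log" >&2; return 1; }
    done
}

# Report any log that is more open than it should be (no root needed).
check_logs() {
    rc=0
    for log in "$@"; do
        if log_perms_ok "$log"; then
            echo "ok      $(file_mode_group "$log") $log"
        else
            echo "FIX ME  $(file_mode_group "$log") $log"; rc=1
        fi
    done
    return $rc
}

case "${1:-}" in
    install) shift; install_account_and_perms "$@" ;;
    check)   shift; check_logs "$@" ;;
esac
```

Run `sh dshield-perms.sh install /var/log/messages` once as root (substitute the log your firewall writes to), then `sh dshield-perms.sh check /var/log/messages` as the dshield user; a non-zero exit from 'check' means log rotation or a package upgrade has reset the permissions and the client will either fail to read the log or the log is world-readable again.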

Installing the script as a cron job

These instructions assume that:

you put dshield.cnf.txt and the dshield*exclude.lst exclusion
files in /etc

you set 'whereto=MAIL' and the other mail variables in /etc/dshield.cnf

you set 'verbose=y' and 'debug=Y' in /etc/dshield.cnf

the script is named 'iptables.pl' and is in /home/dshield/bin. (Adjust as necessary.)

(You must be a user that has the appropriate privileges to read the system log file that contains the firewall
logging information when doing this.)

First check to see if there are any existing cron jobs by typing crontab -l. If there are any
existing jobs, make a safety backup by typing crontab -l > mycrons.cron. This will
save your current list of cron jobs in mycrons.cron.

Then edit the crontab

crontab -e

This will load the current list of cron jobs in your default editor. (The editor is chosen by the VISUAL or EDITOR
environment variable. How to set it is system dependent; you may be able to set this variable in your
.bashrc file.)

(Substitute the name of the script you are running in place of iptables.pl. And please change the
time. Otherwise, we will receive all logs at the same time ;-)

Once you quit your editor, this new crontab will be installed. When this is loaded into cron, cron will execute
this job at 3:10 am. This job will run the /home/dshield/bin/iptables.pl script. /home/dshield/bin/iptables.pl will
read /etc/dshield.cnf for configuration information.

The output (i.e., verbose and debug) will be redirected to /home/dshield/bin/iptables_debug.txt. You can examine this
in your editor. (Note that /home/dshield/bin/iptables_debug.txt will be overwritten each time cron runs this
job.)

Type crontab -l to display the current crontab (i.e., what we just did.)

If you want to change cron parameters, say to make the script execute more (or less) often, edit the crontab using
crontab -e and then install it again.